Various local exploits
openbsd-dynamic-loader-chpass OpenBSD local root exploit.
Code mostly taken from Qualys PoCs (2019-12-11) for CVE-2019-19726.
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
openbsd-authroot OpenBSD local root exploit.
Code mostly taken from Qualys PoCs (2019-12-04) for CVE-2019-19520 / CVE-2019-19522.
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.
Local root exploit for Serv-U FTP Server versions prior to 15.1.7
Bash variant of Guy Levin's Serv-U FTP Server exploit (2019-06-13) for CVE-2019-12181.
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
S-nail local root exploit.
Wrapper for @wapiflapi's s-nail-privget.c local root exploit (2017-01-27) for CVE-2017-5899.
Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.
VMware Workstation / Player local root exploit.
Based on Jann Horn's PoC (2017-05-21) for CVE-2017-4915.
VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.
ktsuss <= 1.4 setuid local root exploit.
Wrapper for John Lightsey's PoC (2011-08-13) for CVE-2011-2921.
Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.
The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. SparkyLinux 2019.08 and prior package a vulnerable version of ktsuss installed by default.
antiX / MX Linux default sudo configuration persist-config local root exploit.
antiX / MX Linux default sudo configuration permits users in the users group to execute /usr/local/bin/persist-config as root without providing a password, resulting in trivial privilege escalation. Execution via sudo requires users group privileges. By default, the first user created on the system is a member of the users group.
Local root exploit for SUID executables compiled with AddressSanitizer (ASan).
Based on 0x27's exploit (2016-02-18) for Szabolcs Nagy's Address Sanitizer local root PoC (2016-02-17).
Use of ASan configuration related environment variables is not restricted when executing setuid executables built with ASan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files with the privileges of the setuid user.
Emmabuntüs default sudo configuration autologin_lightdm_exec.sh local root exploit.
Emmabuntüs default sudo configuration permits any user to execute /usr/bin/autologin_lightdm_exec.sh as root without providing a password. The autologin_lightdm_exec.sh script calls cp with user supplied arguments, resulting in trivial privilege escalation.
lastore-daemon local root exploit.
Based on King's Way's exploit (2016-02-10).
The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group.